Wednesday, May 21, 2008

There was a botting banwave that hit both Glider and Innerspace users yesterday. I’ve mentioned this before, but “bans” happen all the time and typically on Monday/Tuesdays on or around the maintenance schedule. A couple hundred people can get swept up in these weekly bans and they are often (mistakenly) confused with a banwave. Most of these types of bans come from player reports.

A real “banwave” however, hits virtually every user of a particular botting software and impacts thousands (even hundreds of thousands) of accounts. For Warcraft, the main two are Lavish’s Innerspace and MDY’s Glider. Technically, Innerspace has little to do with botting itself and has legitimate uses. BUT – since there are several extensions to the product that enable botting to occur (one of which is written by Lax, the author of Innerspace), Blizzard lumps anyone using it into the same category.

Since “banwaves” hit such large numbers of botters, the waves are not based on player reports but on some technical victory. In the past, these have always been attributed to an undetected update or change in Warden, which is Blizzard’s client-side anti-cheat program. Many botters have long suspected that Blizzard will implement more server-side detection, but with the exception of things like teleport and speed hacks, server-side detection has never been something Blizzard has implemented to detect cheats.

The last major banwave occurred about this time last year in early June. At the time, only ISXWarden (an extension for Innerspace and written by Lax) was capable of detecting a change in Warden. When it detects a change, it immediately shuts down Warcraft before any positive response can be verified by Blizzard. MDY’s Glider was less sophisticated and couldn’t detect these changes. However, Innerspace users often warned Glider users whenever Warden was updated. A few Glider users would get caught in the crosshairs, but many would avoid bans as Mercury (the author of Glider) made his product unusable whenever he received forewarning from the ISX community.

Prior to last June, ISXWarden and Innerspace had largely avoided any banwave by Blizzard due to Warden. The only real exception was when Warden was first introduced and took the entire botting community by surprise. In fact, many Innerspace users believe that the warnings they provided to Glider users only served to draw greater attention to them as the larger threat. The absolutely brilliant way in which Blizzard attacked both botting communities last June almost seems to validate that idea.

Sometime last may, Blizzard finally found a way to successfully identify Innerspace users protected by ISXWarden. Rather than ban these players outright, they simply marked those accounts as Innerspace users. Blizzard then proceeded to roll out a new version of Warden to everyone BUT the Innerspace users. Innerspace users were never alerted to the Warden change because they never received the newer version! Glider users (no longer warned by Innerspace users) were happily botting away while easily being detected by Warden.

Unfortunately, the exposure time was limited to about 48 hours because Mercury (Glider author) discovered the change while beta testing a similar feature to ISXWarden for his product. This feature would later be known as Tripwire and was intended to discover changes to Warden. As soon as he was alerted to the new Warden, Mercury immediately disabled it’s use for his users.

Of course, for a good many Gliders, the damage was already done and anyone botting that weekend (around Memorial day) was banned on June 11th along with every single Innerspace user. It was the single largest banwave since the release of Warden and a major triumph for Blizzard in the war against botters. In fact, the Innerspace detection problem didn’t go away immediately and Innerspace users received another more minor banwave in early July. Lax didn’t successfully solve his issue until mid August.

A similar banwave (perhaps bigger) just occurred that has hit all Innerspace and Glider users. Kudos to Blizzard on the big win. According to Lax, Warden was not updated and so ISXWarden and Tripwire were not alerted. Instead, the detection method was implemented in the 2.4.2 client itself. It’s not uncommon for them to roll out new detections in the patches. It’s actually expected that they make changes and Mercury and Lax actively look for and most often find changes. This time – they obviously didn’t.

At the time of this writing, Lax already has a version up that he believes circumvents the latest detection method. I don’t doubt that Mercury will follow suit shortly with an updated Glider. This is a game of cat and mouse and it’s a war that Blizzard can’t win with client-side detection alone. BUT—what they can do is make this a costly war for the botters and I sincerely congratulate them on their success.

Yes, the botters will be back. I expect you can venture into the newbie zones over the next few days and find a bunch of new low levels roaming around happily botting away. BUT—this sets them back considerably. Just reading the forums where they post their bans reveals that many of these botters lost 2 to 5 accounts, including their Main in some cases.

More so, I think this teaches botters a valuable lesson. You may bot and you will likely even get away with it. But – if you keep doing it, then eventually you are going to get caught. It’s a virtual certainty that one day the people who you trust to protect you from detection will let you down due to human error. It really is a game of cat and mouse – and eventually, the cat catches the mouse. And when he does… no more mouse.